On the security of a new image encryption scheme based on chaotic map lattices 
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This paper reports a detailed cryptanalysis of a recently proposed encryption scheme based on 
the logistic map. Some problems are emphasized concerning the key space definition and the imple- 
mentation of the cryptosystem using floating-point operations. It is also shown how it is possible 
to reduce considerably the key space through a ciphertext-only attack. Moreover, a timing attack 
allows the estimation of part of the key due to the existent relationship between this part of the 
key and the encryption/decryption time. As a result, the main features of the cryptosystem do not 
satisfy the demands of secure communications. Some hints are offered to improve the cryptosystem 
under study according to those requirements. 



Recently a new cryptosystem was proposed by 
using a chaotic map lattice (CML). In this paper, 
we analyze the security of this cryptosystem and 
point out some of its security defects. A number 
of measures have been suggested to enhance the 
security of the cryptosystem following some es- 
tablished guidelines on how to design good cryp- 
tosystems with chaos. 



I. INTRODUCTION 



Image encryption is somehow different from text en- 
cryption due to sonre inherent features of inrages, such 
as bulk data capacity and high correlation amoiig pixels. 
Therefore, digital chaotic ciphers like those in 0,|j,[a| and 
traditional cryptographic techniques such as DES, IDEA 
and RSA are no longer suitable for practical image en- 
cryption, especially for real-time communication scenar- 
ios. So far, many chaos-based image cryptosystems have 
been proposed [a,[3,SS[3- The major core of these en- 
cryption systems consists of one or several chaotic maps 
serving the purpose of either just encrypting the image 
or shuffling the image and subsequently encrypting the 
resulting shuffled image. In [l| a new image encryption 
algorithm based on chaotic map lattices has been pro- 
posed. The ainr of this paper is to assess the security of 
such cryptosystem. 

The rest of the paper is organized as follows. Sectionllll 
describes the cryptosystem introduced in [l|. After that. 
Section IIIII points out some design problems inherent to 
that cryptosystem, and Section IIVI gives some attacks 
on the cryptosystem under study. Finally, some security 
enhancements are presented in Section FVl followed by the 
last section, which presents the conclusions. 



II. DESCRIPTION OF THE ENCRYPTION 
SCHEME 

The encryption scheme described in [ij is based on the 
logistic map given by 



Xi+l 



a ■ Xi 



(1 



(1) 



For a certain value of a, the chaotic phase space is 

Given an AI x N color image with R, G, B color com- 
ponents, an initialization process is performed to con- 
vert the integer values of each pixel to real numbers that 
can work with the above chaotic logistic map. First, 
the 2-D image is scanned in the raster order (i.e., from 
left to right and from top to bottom) to form three 1- 
D integer sequences {Pc}iLi (c = R, G and B), where 
P^ G {0, • • • , 255} denotes the color component c of the 
i-th pixel. Then, the integer sequences are converted to 
three real-number sequences each of which corresponds 
to a different color component: {a;J.(0)}™ j^, where 



4(0) 



+ (Xn 



P^V255. 



(2) 



After the above initialization process, the following en- 
cryption procedure is carried out separately for each color 
component to obtain the ciphertext: 

1. Set r = 1. 

2. Set the initial condition of the logistic map as fol- 
lows: 



Xo 



x-™(r-l), 
xl-\r), 



ii2<i<m. 
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3. Iterate the chaotic logistic map from xq for n tinres 
to obtain a;„. 

4. Set xl{r) ~ x„ + x* (r - 1). If x* (r) > Xmax, then 
subtract (a;inax~2;mi,i) from x* (r) to ensure a;J.(r) G 

l-^mini •^inaxl ■ 



5. Set r = r + 1. If r < j, go to Step [2 otherwise 
the encryption procedure stops for the current color 
component. 

After performing the above encryption procedure 
for all three color components, the three sequences 
WnUmU^ {^gO)}"i and {x^^O')}™! make up the ci- 
phertext. 

As claimed in [l|, the secret key is composed of the 
following four sub-keys: 

1. The control parameter of the logistic map, i.e., a. 

2. The image height and the image width, i.e., M and 
N respectively. 

3. The number of chaotic iterations in Stcp[3l i.e., n. 

4. The number of cycles, i.e., j. 

The decryption procedure is similar to the above de- 
scription, but in an reverse order, and the following in- 
verse map 



p: 



round[(a::^(0) - Xmm) ■ 255/(a;,nax - a;min)] (3) 



is used in the last step to recover the plain-image by 
converting real numbers back to integer pixel values. 
For more details about the encryption/decryption pro- 
cedures, the reader is referred to 



r 



III. DESIGN PROBLEMS 
A. Key definition problems 

Following Kerckhoffs' principle [111], the security of a 
cryptosystem should depend only on its key. For the 
cryptosystem defined in [l[, the size of the image to be 
encrypted determines one of its four secret sub- keys. In a 
known-plaintext attack we have access to both the plain 
image and its encrypted version, which means that we 
know the size of the image. Moreover, in a ciphertext- 
only attack the value m = M x N is known and it is 
possible to get M if N is known and vice versa. There- 
fore, it is not a good idea to include the size of the image 
as part of the key, since it does not increase the difficulty 
to break the cryptosystem. 

In addition, the control parameter a of the logistic map 
is also part of the key. In [l| a is chosen in (3.57, 4) for 
the sake of the map defined in Eq. ([T|) being always 
chaotic. However, the bifurcation diagram of the logistic 
map (Fig. [T]) shows the existence of periodic windows 
in that interval. It means that a user could choose a 
such that the logistic map would be working in a non- 
chaotic area, which is not a good security critcrium when 
considering chaotic cryptosystems 0, Rule 5] . Hence, it is 
advisable to give a more detailed definition of the possible 
values of a, so that the user can only choose those values 
of the control parameter a preventing the logistic map 
from showing a periodic behaviour. 




FIG. 1: Bifurcation diagram of the logistic map showing pe- 
riodic windows. 



Finally, the other parts of the key are the number of 
iterations of the logistic map per pixel (n) and the num- 
ber of encryption cycles (j). As secret sub-keys, both 
values should possess a high level of entropy to avoid be- 
ing guessed by a possible attacker. However, it is not 
advisable to select large values for j and n, since it will 
definitely lead to a very slow encryption speed. On the 
other hand, using small values of j and n reduces the 
level of security, since those small values do not provide 
good confusion and diffusion properties. Both restric- 
tions imply a reduction of the associated sub-key space 
and thus they make the brute-force attack more likely to 
be successful. As a conclusion, it is convenient to use j 
and n as design parameters and not as part of the secret 
key. This approach has been traditionally followed with 
respect to the number of encryption rounds in classical 
schemes such as DES or AES. 



B. Underlying decryption error 

As it happens during the encryption procedure, all the 
intermediate values xl{r) obtained through the decryp- 
tion stage must be inside the phase space. This means 
that Xmin should appear in Eq. (10) and (11) in [l| in- 
stead of 0. Having in mind this consideration, the per- 
formance of the decryption process will be analyzed in 
the following. 

The cryptosystem described in [l| generates a cipher- 
text consisting of a number of real values. All the oper- 
ations to encrypt an image are performed using floating- 
point arithmetic. From Section |ll] we know that x''^{r) = 
Xn+xl{r—l), where a;„ is the resulting value of iterating 
the logistic map n times from xq. Hence, if we want to 



recover a;^(r — 1) (the original value of the i-th element 
in the last round), we have to iterate n times the logistic 
map from ccq to get Xn and, after that, to substract this 
value from x\{r). However, the resulting value of this 
previous operation might not match the actual value of 
x\.{r — 1), due to the wobbling precision problem that 
exists when dealing with floating-point operations |l2l . 
p. 39]. This wobbling precision problem also causes the 
resulting guessed value of x*(r — 1) to depend on the 
cryptosystcm implementation. Therefore, if an image is 
encrypted on one platform and decrypted on another, 
and the implementations of floating-point arithmetics on 
both platforms are not compatible with each other, then 
the decrypted image might not match the original one. 
In [l| the cryptosystem was implemented using Microsoft 
Visual C# .NET 2005 and no comment was given about 
the wobbling precision problem in the decryption process. 
However, we have experimentally verified that this prob- 
lem indeed exists when the cryptosystem is implemented 
using MATLAB. A very useful measure of the perfor- 
mance of the decryption procedure is the Mean Square 
Error or MSE. For P and P' being a plain image and 
the decrypted image respectively, the MSE for the color 
component c is defined as 



MSE, = Y^{Pl-P'y/m, 



(4) 



where ?n = M x iV is the number of pixels of the images 
considered. Consequently, for a well designed encryp- 
tion/decryption scheme the MSE should be for each 
color component. Unfortunately, for the cryptosystem 
under study, the values of MSE for all three color com- 
ponents arc generally not equal to due to the wobbling 
precision problem associated to the floating-point arith- 
metic. 

In order to evaluate the underlying decryption error 
of the cryptosystem defined in [l|, a 512 x 512 plain- 
image "Lena" , as shown in Fig. [21 was encrypted and 
decrypted using the same key (n, j, a) = (30, 1, 3.9). The 
results showed that the three MSEs obtained for the red, 
green and blue components of the decrypted image with 
respect to the original one were 6.49, 0.018, 0.057, re- 
spectively. For another key {n,j,a) = (30,3,3.9), the 
obtained MSEs were 206.96, 123.45, 58.65, respectively. 
Figure [3] shows the decrypted image and the error image 
when the cryptosystem was implemented in MATLAB 
using a third key (n, j, a) = (5, 2, 3.9). 



IV. ATTACKS 

A. Control parameter estimation 

The maximum value of Xi+i in Eq. ([1]) is reached when 
Xi = 0.5, which informs that the maximum value of a 
sequence generated from the iteration of the logistic map 
is a/4, i.e., Xmax = maxd^^}) < a/4. The ciphertext 
of the cryptosystem proposed in [l[ is composed of 3m 




FIG. 2: The plain-image "Lena". 



real values, each of which is in the range [xmin , a;max] ■ 
This means that it is possible to approximate x^ax = 
a/4 as the maximum value of all the real values in the 
ciphertext, i.e.. 



4(j)- 



(5) 



Then, from Xmax = a/4, one can estimate the secret value 
of the control parameter a as 



4 -in 



(6) 



Consequently, if we have a ciphertext, we can esti- 
mate the value of the sub-key a. In other words, a 
ciphertext-only attack allows us to estimate the sub-key 
a. In this sense, the image "Lena" (Fig. [2]) was encrypted 
for n ~ 20, j = 1 and different values of a e [3.8,4]. 
These values of a were then estimated from the cipher- 
texts by applying Eqs. ([5]) and ([B]). The estimation errors 
are shown in Fig. [H The average estimation error was 
5.236228 x 10~^, whereas the maximum and minimum 
errors were 3.481322 x 10"^ and 2.758853 x 10"^, respec- 
tively. By increasing the value of j from 1 to 3 and keep- 
ing the other sub-keys unchanged, the parameter estima- 
tion errors are shown in Fig. [51 being the mean estimation 
error 4.721420 x 10"*^, the minimum error 1.212016 x 10"^ 
and the maximum error 3.355227 x 10~^. 

Finally, in Figs.[n]and[7]the sensitivity of the cryptosys- 
tem with respect to the control parameter a is shown. 
This sensitivity is measured using the Peak Signal to 
Noise Ratio (PSNR), which is defined for the color com- 
ponent c as 



PSNRc = 10 • log 



/ 2552 



10 



V MSEc 



(7) 



Figure [6] displays the PSNRs of the different color 
components of the decrypted image "Lena" with respect 
to the original image "Lena" for a G [3.8,4] when the 
same key is used for encryption and decryption. The 





(a) 



(b) 




FIG. 3: Simulations with MATLAB (a) Ciphertext of the plain-image "Lena" (visualized as a pseudo-image by using Eq. (|3])) 
(b) Recovered image of "Lena" using the same key (c) The error image between the original and the recovered "Lena" . 



values of the other sub- keys are n = 20, j = 3. On 
the other hand. Figure [7] shows the PSNRs when the 
control parameter used in decryption shows some devia- 
tion from that employed in the encryption process. One 
can see that for a deviation of the control parameter 
of less than 10"^*^ and for a certain range of values of 
the control parameter, it is possible to recover the origi- 
nal image "Lena" with a similar PSNR to that obtained 
using the correct control parameter. For instance, for 
a = 3.845621 the PNSRs for the red, green and blue com- 
ponents of the recovered "Lena" are 35.899819, 60.437331 
and 63.853450, respectively. For the same value of a and 
a parameter estimation error equal to 10"^'^, the PSNR 
of the recovered "Lena" with respect to the original one 
is 17.480625 for the red component, 18.622578 for the 
green and 20.019512 for the blue component. 



B. Timing attack 



One important feature of a secure encryption scheme 
is that the encryption speed should not depend on the 
key value. Indeed, if the time consumed on encryp- 
tion/decryption is correlated with the value of the key 
(or a sub- key), then it is possible to approximate that 
(sub-) key. This kind of attack is called timing attack 
[13l . [l4| . As it has been shown in Section |TT1 in every 
encryption round. Step [3] is carried out through the n it- 
erations of Eq. Ilj, where n is a sub-key. This means 
that, for a certain number of encryption rounds (i.e., 
a certain value of j) and a certain value of the control 
parameter a, the encryption speed decreases as n does. 
Similarly, because the encryption/decryption procedure 
is composed of j repeated cycles, the encryption speed 
will also become slower if the value of j increases. To be 
more precise, for a given plain-image, we can expect the 
existence of the following bi-linear relationship between 
the encryption/decryption time (EDT) and the values of 
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FIG. 4: Parameter estimation errors corresponding to the 
image "Lena", when n = 20 and j = 1. 




FIG. 5: Parameter estimation errors corresponding to the 
image "Lena", when n = 20 and j = 3. 



n and j: 



EDT{n,j) ^ {cxn + da) x j + di, 



(8) 



where c corresponds to the common operations consumed 
on each chaotic iteration, do to the operations performed 
in each cycle excluding those about chaotic iterations, 
and di to those operations performed on the initialization 
process and the postprocessing after all the j cycles are 
completed. In addition, because a is just the control 
parameter of the chaotic map, it is expected that EDT 
will be independent of its value. 

With the aim of verifying this hypothesis, some exper- 
iments have been made under the following scenario. An 
image with random pixel values of size 256 x 256 was en- 
crypted for different values of a, n and j. The encryption 
time corresponding to each key is shown in Fig. [SJ from 
which one can see that Eq. ([8]) is verified. 

The above experimental results ensure the feasibility 
of a timing attack to a sub-key of the cryptosystcm un- 



der study: by observing the encryption time, it is pos- 
sible to estimate the values of n if j is known and vice 
versa. Without loss of generality, assuming an attacker 
Eve knows the value of n, but not that of j, let us demon- 
strate how the timing attack can be performed in prac- 
tice. In this case, the relationship between EDT and the 
value of j can be simplified as EDT{n,j) = c„ x j -|- d„, 
where Cn = c x n and dn = do x j + di. Then, if Eve 
gets a temporary access to the encryption (or decryp- 
tion) machine, she can carry out a real timing attack in 
the following steps: 

1. She observes the whole process of encryption (or 
decryption) to get the encryption (or decryption) 
time tj and also the size of the ciphertext (i.e., the 
size of the plaintext). 

2. By choosing two keys with different values of j, she 
encrypts^ a plaintext (or decrypts a ciphertext) of 
the same size and gets ti and t2. 

3. She derives the values of c„ and d„ by substituting 
ti and t2 into EDT{n,j) ~ Cn x j + dn- 

4. She estimates the value of j to be j = round((fj — 

dn)/Cn)- 

5. She verifies the estimated value j by using it to 
decrypt the observed ciphertext. If the recovered 
plaintext is something meaningful, the attack stops; 
otherwise, she turns to search the correct value of 
j in a small neighborhood of j until a meaningful 
plaintext is obtained. 

The above timing attack actually reveals that partial 
knowledge about the key constitutes useful information 
to determine the rest of the key. However, such a prob- 
lem should not exist for a well-designed cryptosystem [3, 
Rule 7]. Hence, we reach the conclusion that the cryp- 
tosystem proposed in [l[ was not well designed. 

Finally, it deserves being mentioned that the linear 
relationship between the encryption/decryption time and 
the value of j has been implicitly shown in [l|. Table I] . 
There, for an image of size 300 x 200 and j equal to 1, 
2 and 3, the encryption times were observed to be 13.6, 
26.7 and 39.1 seconds, respectively. This clearly showed 
a linear relationship between the encryption time and 
the value of j. Unfortunately, the authors of [l| did not 
realize that this is a security defect that could be used to 
develop the timing attack reported in this paper. 



V. ENHANCEMENTS 

To overcome the problems of the original cryptosys- 
tem, we propose to enhance it by applying the following 



^ Please note that this can be done on her own computer, as long 
as she has the encryption/decryption software installed. 
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FIG. 6: PSNRs of the decrypted image "Lena" with respect to different values of the control parameter a. 



rules: 



• Use a piccewise linear chaotic map (PWLCM) [T5| 
instead of the logistic map for the size of the chaotic 
phase space being independent with respect to the 
control parameter value. Indeed, the chaotic phase 
space of the PWLCM is (0,1) for all the values 
of the control parameter. The PWLCM also has 
a uniform invariant probability distribution func- 
tion, which makes impossible to estimate the con- 
trol parameter through the maximum value of the 
ciphertext, as we can do for the cryptosystem under 
study. 

• The wobbling precision problem should be circum- 
vented by forcing fixed-point computations. A pos- 
sible solution is to transform the values of the phase 
space of the chaotic map into integer values, so the 
encryption and decryption operations are carried 
out using integer numbers instead of real numbers. 

• Without loss of security, the enhanced cryptosys- 
tem should be easy to implement with acceptable 
cost and speed [2|, Rule 3]. It is expected that the 
enhanced cryptosystem can encrypt at least a pixel 
per iteration to reach high encryption/decryption 
speed. 

• The key of the enhanced cryptosystem should be 
precisely defined 0, Rule 4], and the key space 



from which valid keys are chosen should be pre- 
cisely specified and avoid non-chaotic regions [3, 
Rule 5]. This can be assured by choosing the con- 
trol parameter(s) of a PWLCM as the secret key, 
because for every valid control parameter, the be- 
havior of the PWLCM is chaotic. 

Having in mind today's computer speed, the key 
space size should be k > 2^"° = 10^° in order 



to elude brute-force attacks [3, Rule 15]. In the 
encryption scheme defined in [l| every color com- 
ponent is encrypted independently from the other 
color components. Nevertheless, the secret key em- 
ployed in the encryption process of each color com- 
ponent is the same. It is convenient to use a dif- 
ferent value of the key for each color component 
and make the encryption of the three color compo- 
nents dependent on each other, since this implies a 
considerable increase of the key space. It has been 
tested that the sensitivity of the PWLCM with re- 
spect to the control parameter is around 10^^". 
Therefore, when the control parameter is used as 
the key of the cryptosystem, the size of the key 
space will be k = 10^°. Nonetheless, if we use a dif- 
ferent value of p for every color component, and the 
encryption of each color component depends on the 
others, the size of the key space will he k = 10"^", 
which satisfies the security requirement related to 
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FIG. 7: PSNRs of the decrypted image "Lena" with respect to different values of the control parameter a and different parameter 
estimation errors. 



the resistance against brute-force attacks. 
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